Thomas Jefferson University

Main menu:

Security &
Responsible Use Policies


The IS&T site, located at, has been updated. Please go to the new site for the latest information and direction regarding your needs. GO TO NEW SITE >

Visit the University Policies section of Blackboard to view any of the IS&T Security Polices as issued by TJU. Click Student policies to review student policies and disclaimers.

In order to review these policies, you must log in to Blackboard and click on the University Policies link from the Links left navigation. You may use the search field (on the left navigation) to locate the following policies, or by policies titles as identified below.

Thomas Jefferson University
University Information Technology Council

Revised Date Policy Name Summary
7/17/2013 Access Controls This policy focuses in detail on the combination of policy and technical solutions that support Jefferson’s ability to create, implement, and maintain access to systems.
2/4/2008 Activity Review of Information System Security This policy describes the how the review of information systems activity within Thomas Jefferson University (Jefferson) provides a mechanism to monitor user activity as outlined in the HIPAA Security Rule.
2/4/2008 Assignment and Management of Information Access Privileges This policy describes how Jefferson will maintain workforce clearance and authorization access profiles to specify which EPHI may be used by workforce members in each job class. These profiles will specify the data elements that comprise protected health information (PHI).
2/4/2008 Assignment of Security Responsibility This policy describes the position of Director of IS&T Security and Policy as described by the final federal HIPAA regulations relating to the security of all PHI.
2/15/2008 Audit Controls This policy defines the internal security controls, including the implementation of hardware, software and procedures that record and examine activity in information systems that contain or use electronic protected health information (EPHI).
2/15/2008 Authentication of Person or Entity This policy defines how Jefferson uses a combination of operational practices and technological solutions to validate or authenticate that a person or entity attempting access to EPHI in Jefferson’s possession is the one claimed to be.
2/15/2008 Device and Media Controls This policy describes the Device and Media controls that govern the receipt, movement, and removal of hardware elements and electronics media into and out of Jefferson.
9/9/2002 Electronic Communications and Information This policy defines the acceptable use of Jefferson electronic communication services, such as computers, email, internet access and Fax transmissions.
2/15/2008 Electronic Transmission Security of Protected Health Information This policy describes the methods used by Jefferson to use data protection mechanisms equal in strength to the level of risk associated with such data.  Jefferson uses a combination of operational practices and technological solutions to ensure the confidentiality, integrity, and availability of PHI while it is in transit from one location to another location over an electronic communications network.
2/15/2008 Email and Protected Health Information This policy describes the conditions under which patient information can be emailed outside of the private Jefferson network.
2/15/2008 Facsimile Machines and Protected Health Information This policy describes the approved methods for transmitting patient data using a fax machine.
2/1/2008 General Guidelines to Safeguard Protected Health Information This policy presents the safeguards used by Jefferson to meet 45 CFR § 164.530(c) requirements.
2/15/2008 Integrity This policy describes how Jefferson maintains a comprehensive internal security control program coordinated by IS&T to protect EPHI from improper alteration or destruction (also known as data integrity).
9/30/03 Network Equipment and Services This policy describes the process for acquiring, installing or modifying network equipment and services used by Jefferson personnel in a Jefferson owned or leased facility.
8/1/1995 Personal Computer Purchases This policy refers to the acquisition of personal computer hardware, software and services to support the activities of Jefferson. It is intended to ensure maximum capability for electronic communications, data exchange, and to achieve economics of scale wherever possible from Jefferson technology investments
8/5/2008 Policies and Guidelines on Work Station Use and Security This policy addresses the information sources being accessed, the manner in which those sources are accessed, the activities that take place with those information sources, and any necessary requirements for the safeguarding of the workstations and work areas where these activities take place.
1/1/2004 Requests for Development of Information Systems This policy describes that IS&T Constituency Committees exist to help align requests for information technology resources to the University's information technology strategic plan and University missions.
2/4/2008 Sanctions For Violating Privacy & Security Policies & Procedures This policy details the sanctions members of the Jefferson workforce could face if they violate established privacy and or security policies that relate to the privacy and security of patient data
4/11/2008 Single Device Remote Access Policy The purpose of this policy is to define standards for connecting to Jefferson’s private network.
2/4/2008 Training Program: Security Awareness & Training to Safeguard Electronic PHI This policy describes the methods used by Jefferson to train and educate Jefferson stakeholders on their HIPAA Security Rule obligations.
4/1/1994 University Information Security Policy This policy describes that Jefferson regards information as an essential asset, and that it is subject to a level of protection commensurate with its value.
4/11/2008 Wireless and Portable Device Security Policy This policy applies to all laptops/tablet PCs, PDAs, smart phones or portable storage (Portable Devices) that contain or interact with EPHI.  This policy helps ensure the security of portable devices and will help protect both the machine and the information it contains from unwanted use.